Authentication and session management in modern web applications using JWT with rotating refresh tokens

Authors

Andrushchak, I., & Kupyra, B.
DOI:

https://doi.org/10.46299/j.isjea.20260503.09

Keywords:

authentication, session management, JSON Web Token, refresh token rotation, OWASP ASVS, httpOnly cookies, web application security, bcrypt, NestJS, full-stack TypeScript

Abstract

The exponential growth of single-page applications, progressive web applications, and decoupled API-driven web platforms has made stateless authentication a fundamental architectural concern. Traditional server-side session management, while well-understood and secure, imposes scaling constraints that are increasingly incompatible with the horizontal scaling requirements of modern cloud-native deployments. JSON Web Tokens have emerged as the dominant alternative, offering stateless verification and cross-domain support, but introducing distinct security challenges: token theft via cross-site scripting, lack of native revocation, and the fundamental tension between token lifetime and user convenience. This research examines a defense-in-depth authentication architecture combining short-lived access tokens with rotating refresh tokens stored as cryptographic hashes in a relational database. The proposed model addresses the trade-off between security and usability by maintaining sessions of practical duration while limiting the attack window of any single compromised access token to a maximum of fifteen minutes. Refresh token rotation, in which each successful refresh invalidates the prior token and issues a new pair, prevents long-term reuse of stolen credentials. Storage of tokens in httpOnly cookies with the SameSite=Lax attribute protects against the two primary client-side attack vectors—script-based exfiltration and cross-site request forgery—without imposing the operational complexity of dedicated CSRF tokens. The authentication subsystem was implemented and validated in a production-grade e-commerce platform built on Next.js 16 and NestJS 11 with the Prisma ORM over a SQLite backend, comprising 59 REST endpoints and 20 database models. Empirical measurement confirms that the architecture sustains authentication latency below 250 milliseconds for login operations and below 50 milliseconds for token refresh operations under typical load. 
The research evaluates seven layered security mechanisms aligned with OWASP ASVS Level 1, including bcrypt password hashing with cost factor 12, rate limiting on authentication endpoints, and content security policy headers. Results demonstrate that the proposed architecture provides a defensible balance between security guarantees and operational simplicity, applicable to small-to-medium e-commerce systems, microservice architectures, and resource-constrained deployments.
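The refresh-token rotation and cookie handling described in the abstract, as an added worked example in TypeScript (this is illustrative code written for this page, not the authors' NestJS implementation). It assumes an in-memory Map in place of the paper's Prisma/SQLite table, an HS256 signing secret and a 7-day refresh lifetime (both constructed; the abstract only fixes the 15-minute access-token lifetime), and it adds one step the abstract does not spell out: presenting an already-rotated refresh token is treated as evidence of theft and revokes the whole token family.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// 15-minute access tokens as in the abstract; the refresh lifetime is an assumption.
export const ACCESS_TTL_MS = 15 * 60 * 1000;
export const REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000;
const SIGNING_SECRET = "constructed-demo-secret-not-for-production"; // assumption

export interface TokenPair { accessToken: string; accessExpiresAt: number; refreshToken: string; }

interface RefreshRecord {
  tokenHash: string; // only SHA-256(token) is persisted, never the token itself
  userId: string;
  familyId: string;  // one family per login; every rotation inherits it
  expiresAt: number;
  revoked: boolean;  // true once rotated, expired, or the family was killed
}

const sha256Hex = (s: string): string => createHash("sha256").update(s).digest("hex");
const b64url = (s: string): string => Buffer.from(s).toString("base64url");

// Minimal HS256 JWT: header.payload.signature with exp = now + 15 min.
export function signAccessToken(userId: string, now: number): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const iat = Math.floor(now / 1000);
  const payload = b64url(JSON.stringify({ sub: userId, iat, exp: iat + ACCESS_TTL_MS / 1000 }));
  const sig = createHmac("sha256", SIGNING_SECRET).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Returns the subject on a valid, unexpired signature; null otherwise (constant-time compare).
export function verifyAccessToken(token: string, now: number): { sub: string } | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const expected = createHmac("sha256", SIGNING_SECRET).update(`${parts[0]}.${parts[1]}`).digest();
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const payload: { sub?: unknown; exp?: unknown } = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (typeof payload.sub !== "string" || typeof payload.exp !== "number") return null;
  if (payload.exp <= Math.floor(now / 1000)) return null;
  return { sub: payload.sub };
}

// Set-Cookie value for the refresh token: not readable by script, not sent cross-site,
// and scoped to the refresh endpoint so it never rides along on ordinary requests.
export function refreshCookie(token: string, maxAgeSeconds: number): string {
  return `refresh_token=${token}; HttpOnly; Secure; SameSite=Lax; Path=/auth/refresh; Max-Age=${maxAgeSeconds}`;
}

export class SessionStore {
  private records = new Map<string, RefreshRecord>(); // stand-in for the relational table

  // New login: new token family, first access/refresh pair.
  login(userId: string, now: number): TokenPair {
    return this.issue(userId, randomBytes(16).toString("hex"), now);
  }

  // Rotation: the presented token is invalidated and a fresh pair is issued.
  // A token that was already rotated is a replay (stolen copy or race), so the family dies.
  rotate(presented: string, now: number): TokenPair {
    const rec = this.records.get(sha256Hex(presented));
    if (!rec) throw new Error("unknown refresh token");
    if (rec.revoked) {
      this.revokeFamily(rec.familyId);
      throw new Error("refresh token reuse detected; session family revoked");
    }
    if (now >= rec.expiresAt) { rec.revoked = true; throw new Error("refresh token expired"); }
    rec.revoked = true;
    return this.issue(rec.userId, rec.familyId, now);
  }

  // Explicit logout or reuse detection: kill every token in the family.
  revokeFamily(familyId: string): void {
    this.records.forEach((rec) => { if (rec.familyId === familyId) rec.revoked = true; });
  }

  private issue(userId: string, familyId: string, now: number): TokenPair {
    const refreshToken = randomBytes(32).toString("base64url"); // 256 bits of entropy
    this.records.set(sha256Hex(refreshToken), {
      tokenHash: sha256Hex(refreshToken), userId, familyId, expiresAt: now + REFRESH_TTL_MS, revoked: false,
    });
    return { accessToken: signAccessToken(userId, now), accessExpiresAt: now + ACCESS_TTL_MS, refreshToken };
  }
}
```

Because only the hash of each refresh token is stored, a read of the session table does not yield usable credentials, and because every rotation flips the old record to `revoked`, a stolen refresh token is good for at most one exchange before the legitimate client's next refresh exposes the replay and terminates the family.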

Published

2026-06-01

How to Cite

Andrushchak, I., & Kupyra, B. (2026). Authentication and session management in modern web applications using JWT with rotating refresh tokens. International Science Journal of Engineering & Agriculture, 5(3), 93–106. https://doi.org/10.46299/j.isjea.20260503.09
